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ABSTRACT 


This paper deals with the survey of android application security detection methods based on the permissions. To combat a 
serious malware campaign, we need a scalable malware detection approach that can effectively and efficiently identify 
malware apps. The proposed survey is to provide the different models to detect the android security of the applications 
based on the permissions that the applications request from the users during installations. Accuracy, precisions, recall 
values are calculated using true and false positive and negative rates, depending on these the best models are selected to 


detect the security of the android application. 


KEYWORDS: Attacks, Android Security, Permissions, Methods 


Article History 
Received: 21 May 2020 | Revised: 30 May 2020 | Accepted: 04 Jun 2020 


INTRODUCTION 


Quick advancement in android Technology has expanded the danger of intrusion. At that point, the android operating 
system uses the permission based model, which allows Android applications to access user information, system 
information, device information, and external resources of smart phones. The designer needs to declare the permissions for 
the Android application. The user needs to accept these permissions for the successful installation of an Android 
application. These permissions are declarations. At the time of installation, if the permissions are allowed by the user, the 
app can access resources and information anytime. It needs not request for permissions again. The android operating 


system is susceptible to different security assaults because of its shortcoming in security. 


Why Android Application Security is Important 

With the number of android device users increasing year after year, the need for mobile security is also gaining ground. 
Android phones have now become vulnerable because of the rapid progress in the mobile phone industry and the 
introduction of cloud services and apps. In other words, android security has yet to reach millions of users, unlike the 


progress seen in the overall usage of smart phones. 

The Two main reasons why android security are important due, 
e Android security protects you against malvertisers 
e Android security protects your private data 


To provide the security, android security detections methods play a important role in safeguarding the android 


applications. 
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SECURITY ATTACKS IN ANDROID 
Permission Escalation Attack 


It allows a malicious application to collaborate with other applications so as to access critical resources without requesting 


for corresponding permissions explicitly. 
Collision Attack Android Supports Shared User ID 


It is technique, wherein two or more application shares the same user id so that can access the permissions, which are 
granted to each other. For example, if application A has permissions to READ CONTACTS, READ_PHONE_STATUS 
and B has permissions to READ_MESSAGES, LOCATION_ACCESS, if both the applications use the same user id 
SHAREDUSERID, then it is possible for application A to use the permissions granted to it and the permissions granted to 
B. 


Time of Check and Time of Use Attack 


The primary purpose behind the TOCTOU Attack is naming collision. No naming rule or constraint is applied to a new 
permission declaration. In addition, permissions in Android are represented as strings, and any two permissions with the 


similar name string are treated as equivalent even if they belong to discrete applications. 
Spyware 


Spyware is a kind of malware. It is an apk file which is downloaded automatically when the user visits malicious site and 
applications installed from obscure sources. In Android, other than Google play store, it is possible to install the 
applications from unknown sources. Spyware is one of the main reasons for significant security threats Android operating 


system. 
UNDERSTANDING PERMISSIONS 


The Android operating system utilizes the permission-based model to access different resources and information. These 
permissions are not requests; they are declarations. These permissions are declared in the AndroidManifest.xml file. In 
Android, android versions 7 and higher the application permissions are classified into normal permissions and dangerous 


permissions. 
Normal Permissions 


Normal permissions don't unequivocally risk the customer's protection and permission need not be pronounced in the 


AndroidManifest.xml file. These permissions are allowed naturally. Example: 
KILL_BACKGROUND_PROCESSES 

SET_WALLPAPER 

UNINSTALL_SHORTCUT 


WRITE_SYNC_SETTINGS 
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Dangerous Permissions 


Dangerous Permissions can access critical resources of the mobile. Dangerous permissions can give the app access to the 
user's private information. If the app lists normal permission in its manifest, the system grants permission automatically. If 
the app list dangerous permission, the user has to explicitly give approval for the app for the successful installation of the 


application. Example: 

CONTACTS: READ_CONTACTS, WRITE_CONTACTS, 

LOCATION: ACESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, 
SMS: SEND_SMS, RECEIVE_SMS, READ_SMS, 

STORAGE: READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE. 
Misuse of Application Permissions and Failure of Two Factor Authentication 


Because of various app permissions, it is possible for various security threats. Among various threats, it is possible for 
Android applications to read messages, send messages. All confidential information based on two-factor authentication has 
been sent as a text message. For instance, different banks, online websites, etc., utilizes two-factor authentication. The 
primary target of two-factor authentication is to increase the security and integrity of the users and to avoid various security 


attacks that are based on the traditional username and password approach. 


SECURITY DETECTION METHODS BASED ON PERMISSIONS 
1. Metropolis Detection Method 


Android application's security detection method based on the Metropolis algorithm is designed. This method analyzes 
Android's 24 dangerous permissions using the Metropolis algorithm, removes uncertainty permissions, and extracts certain 
permission features. Classification technology of machine learning is used to learn and classify the feature. Example, this 
methodology uses 15 1 Android Apps samples. From the analysis, this method reduces the detection features and the 


accuracy of malicious applications. Detection accuracy can reach 93.5% [1]. 


Data collection ree a Machine Learning 
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Figure 1: System Model of Detection Method using Metropolis Algorithm. 


Metropolis algorithm gets the certain permissions from application. This system model consists of four steps: 
dataset collection, Then decompiling apk and extract apk’s certain permissions, using machine learning to train and test, 


and result analysis. Figure | shows the system model of android security detection method using metropolis algorithm. 
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Collect Apk Samples 


In this method, python program is used to crawl being Apps from the site. Malicious Apps were downloaded in the drain 


dataset. 
Apk Decompile and Feature Extraction 


Decompile the apk file with Apk Tool. Extracted the Android Manifest.xml file containing the permission declaration. 
Extract the dangerous permissions of 24 Google claims from android in the android Manifest.xml file. Then, using the 


Metropolis algorithm to extract the certain permission for malicious app detection. 
Machine Learning-Based Classification 


Machine learning is performed by deterministic permissions on the app classification. The data was trained and tested by 


J48 machine learning classification algorithms. The test method uses 1 - fold cross-validation test method. 
Experimental Results Evaluation and Analysis 


Through machine learning and classification, divides apps into benign apps and malicious apps. Then, using the Precision, 


Recall, F-Measure, Accuracy is calculated to evaluate a result. 
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Figure 2: Shows the Features Considered in Metropolis Method. 
2. Two Layered Model 


The detection model is designed based on the declared permission and consists of two layers. The first layer of detection 
utilizes an improved random forest algorithm for the analysis. The second layer detection uses sensitive permission rules 
matching to analyze the fuzzy sets generated by the first layer detection. At last, a series of evaluation methods were used 


to evaluate this detection [2] 
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Figure 3: Two Layered Model. 
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Figure 4: Shows the Features Consider in the Two Layered Method. 





Steps Followed First Layer in the Two Layered Model 
Improved Random Forest Algorithm 


Improved the random forest algorithm by introducing fuzzy sets which contain the samples with uncertain permission 
features. If the random forest is composed of M decision trees, N1 trees results are benign (malware), N2 trees results are 
malware, Where N1+N2=M. Only if IN1-N2I<6, this sample will be classified as a fuzzy sample. Otherwise, it will be 


classified as a determinate sample. 
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Collection of Android Samples 


In this method, collected 1, 3 different types of Android applications from Baidu application market, used Virus Total and 


other anti-virus software for testing. 

Number of Decision Trees 

The number of decision trees is determined by the specific data set. 
The Second Layer: Fuzzy Sets Detection 


In order to analyze the fuzzy sets, the sensitive permission groups of the malware and benign samples. The fuzzy sets are 


detected by the matching rule of the sensitive permission groups. 

Steps Followed First Layer in the Two Layered Model 
e Read the permission list of the application and sensitive permission rules. 
e Match the application permission list with the sensitive permission rules. 
e Output the result of detection 

3. SIGPID Method 


SIGPID, a malware detection system based on permission usage analysis. In this method, developed 3-levels of pruning by 
mining the permission data to identify the most significant permissions that can be effective in distinguishing between 
benign and malicious apps. SIGPID then uses Al-based classification techniques to characterize various groups of malware 
and kind applications. Evaluation finds that only 22 permissions are significant. Then compare the performance of the 
SIGPID approach using only 22 permissions, against a baseline approach that analyzes all permissions. The results indicate 
that when Support Vector Machine (SVM) is used as the classifier; it can achieve over 9 % of precision, recall, accuracy, 
and F-measure. SIGPID is more effective by detecting 93.62% of malware in the data set, and 91.4% unknown/new 


malware samples [3]. 
Multi-Level Data Pruning (MLDP) 


The First component of SIGPID is the multi-level data pruning process to identify significant permissions to eliminate the 


need of considering all available permissions in Android. 
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Figure 5: Multi-Level Data Pruning Process. 


Impact Factor (JCC): 7.8726 NAS Rating: 3.17 


Evaluating Security Detection Methods of Android Applications 7 












































MLDP 

22 Permissions 
ACCESS_WIFL_STATE READ_LOGS 
CAMERA READ_PHONE_STATE 
CHANGE_NETWORK_STATE READ_SMS 
CHANGE_WIFL STATE RECEIVE_BOOT_COMPLETED 
DISABLE_KEYGUARD RESTART_PACKAGES 
GET_TASKS SEND_SMS 
INSTALL_PACKAGES SET_WALLPAPER 
READ_CALL_LOG SYSTEM_ALERT_WINDOW 
READ_CONTACTS WRITE_APN_SETTINGS 
READ_EXTERNAL_STORAGE WRITE_CONTACTS 
READ_HISTORY_ BOOKMARKS: WEE TE 5 aTTINGS 


Figure 6: Shows the Benatar Consider i in SIGPID Method. 
This system MLDP consists of three major components, designed based on real-time data analysis: 
Permission Ranking with Negative Rate (PRNR) 


This provides a concise ranking and comprehensible result. The approach operates on two matrices, M and B. M 


represents a list of permissions used by malware samples and B represents a list of permissions used by benign apps. 


Bi 
Sp(Pj) = size(B)) * size(Mj), (1) 


Where, Pj denotes the j" permission and SB (Pj) represents the support of j"" permission in matrix B. PRNR can 


then be implemented using Equation 2: 


My ~ $o(P)) 


>M ij t Sa(P, i) @) 


R(P)) 


Support Based Permission Ranking (SPR) 


To further reduce the number of permissions is to focus on n the support of each permission. However, the support of 


permission is too low, it does not have much impact on malware detection performance 
Permission Mining with Association Rules 


Further permissions that occur together can be grouped into one, which has a higher support using permission mining with 


association rules (PMAR) mechanism using association rule mining algorithm. 


After pruning, SIGPID method employs supervised machine learning classification methods, to identify potential 


Android malware. 
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Figure 7: System Model of SIGPID. 
Machine-Learning Based Malwar Detection using Significant Permissions 


SVM and a small data set to test the MLDP model. SVM determines a hyper plane that separates both classes with a 


maximal margin based on the training dataset that includes benign and malicious applications. 


Progressively, worthwhile to use MLDP to perform malware detection as it can be as effective while notably conserving 
time and memory. Since time and memory are constrained in common computers and it tends to be outsourcing the task to 


the cloud in a reasonable manner to help efficiency. 
RESULTS 
For all the above methods mentioned results are evaluated using following assessment methods 


e §=Accuracy: Accuracy = (TP+TN) / (TP+FN+FP+TN), which means, the number of samples correctly classified by 


the detection model divided by all the number of samples. 


e Precision: Precision=TP / (TP+FP), which means the proportion of the samples, which are classified as malware 


by the detection model is actually a benign category. 


e ~=Recall: Recall=TP / (TP+FN) which means the proportion of the malware samples which are classified as 


malware by the detection mode 
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Table 1: Shows the Accuracy, Precision, Recall Values (%) of Security Detection Methods 
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CONCLUSIONS 


At long last, it infers that a malware detection methods based on permission usage analysis to adapt to the rapid increase in 
the number of Android malware can be improved based on different methods. SIGPID method detection can be taken as 
the best method compared to other methods mentioned in this paper based on the permission detection methods. SIGPID 
approach helps to identify more malicious apps (with higher recall rate), which is a significant property of an effective 


malware detector. Future can be done by considering all the advantages and implementing the method. 
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